Fastrack Blog

How to gain deeper threat insights with Microsoft Threat Protection.

Written by Brodie Hamdorf | March 13, 2020

What is Microsoft Threat Protection (MTP)?

In a word, 'handy'.

It's a single portal and a unified combination of protection tools IT admins can use to understand what's happening in their tenant without having to crawl through portal after portal.

By combining inputs from Microsoft Defender ATP, Office 365 ATP, Azure ATP, Azure AD Identity Protection and Microsoft Cloud App Security (try saying that in one breath 😅), it provides a single view of threat detection alerts, impacted resources and remediation options.
It's also not bad on the eyes, as you can see.

When should you use MTP?

MTP acts as the hub for viewing current incidents and alerts, reviewing reports to track your trends, visualising your overall posture with Secure Score, creating policies for further protection and hunting for continued threats in your organisation.

A single place for alerts.

The alert view has been the most useful part for viewing all alerts across your Office tenancy. When a security threat is detected, the single portal gives you an immediate view of every alert, the entities involved, the severity of the threat and its predicted impact, the category and the source. Drilling down into an individual alert, you can also see a fleshed-out description of the alert and a direct link to that alert in its respective security centre.

Look at all those easy to digest alerts.

Generate reports across the four pillars of your environment.

Next, the report view. It provides an easy tile-based view of the four pillars of your environment: identity, data, devices and apps. In the report view, you can view any at-risk users, non-compliant or malware-affected devices and cloud application events (such as impersonations, or suspicious activity).

Limitations

Microsoft spends $1 billion (USD) a year on cyber security. That's excellent, but there are just too many different portals that need to be accessed. I remember a time when I had to use three different remotes to turn on the TV: one each for the TV, set-top box and speakers. The biggest opportunity I see is to create a single portal that shows me everything from pre- to post-breach. My TV now comes with a smart remote that controls everything... (C'mon Microsoft).

Microsoft Threat Protection is an excellent addition to their suite of tools, but ultimately it's just another portal. However, the dashboard does make it easier for you to find the relevant security centre to manage each incident, as well as providing a direct link to the incident.

From experience, there is some latency in updating the status of the alerts after they’ve been dealt with. For example, after resolving several false-positive alerts I had to wait some time before that pesky alert disappeared. However, I'd take a delayed alert resolution over no centralised portal every day of the week.

Who is it good for?

MTP has relevance for organisations of all shapes and sizes. However, organisations with small IT teams or no dedicated SOC team will benefit most. It’s also a welcome addition for MSPs (like us) who are managing security across multiple customers, as it greatly reduces the amount of navigation to retrieve actionable alerts.

The verdict

We've seen many platforms from Microsoft that have promised the world and under-delivered. In saying that, what we like about Microsoft Threat Protection is that it's not promising anything new, but helping Microsoft deliver on a promise they've already made.

It's not adding to the ever-growing list of Microsoft Security portals. It's simply a more useful and actionable way of organising data that we already had.

And that's a welcome change for any security-conscious IT professional.